Being selective when analyzing auditing requirements

The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing.

Analyzing auditing requirements

You need to be selective when auditing anything on a computer. Auditing consumes resources on the audited machine, and if you audit too much, reviewing the Security log consumes a tremendous amount of human time and the events you actually care about are buried. That said, you can audit specific files and folders to determine who is accessing or changing the information in them. Remember that auditing is local to the computer that hosts the object: the SACL is evaluated and the event is written on that computer, so the audit policy must be in effect there. You can set it through the Local Security Policy settings on the computer itself or through Group Policy, as shown in Figure 6.7. Each policy setting can audit successful attempts, failed attempts, or both; auditing failures alone is often the cheaper choice when the goal is to catch probing rather than to reconstruct every legitimate access.

Figure 6.7: You can set the audit policy for a computer through the Local Security Policy settings of the computer itself or through Group Policy.

You need to be familiar with the following settings in regard to auditing files and folders:

Auditing object access

Setting auditing entries on the resource

Auditing object access

This setting works together with the individual audit entries in the SACL of the file, folder, Registry key, or other resource on which you have applied audit settings. If you enable it (for success, failure, or both), the system examines the SACL of each object as it is accessed to determine whether an event should be recorded. If it is not enabled, the SACL entries remain on the objects but generate no events at all, which is the most common reason file auditing "does not work".

Setting auditing entries on the resource

After you have set the audit policy to Audit Object Access, you can then mark the resources themselves for auditing. For each resource you choose which users or groups to audit and which access types (for example, Write or Delete rather than Read) to record. In this way you produce an audit trail that contains the information you need without becoming so large that it is unusable.

You can set the audit entries in the Advanced options of the Security tab for the object to be audited, as shown in Figure 6.8. This writes an entry into the object's SACL; whenever Audit Object Access is enabled, the system evaluates that entry on each matching access and creates the corresponding event in the Security log of Event Viewer. If you choose, you can audit an entire hierarchy of folders by allowing the audit entries to propagate from the parent object to the child objects.

Figure 6.8: You can set audit entries in the Advanced options of the Security tab.
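The two steps above (enable the policy, then put an audit entry on the resource) scripted end to end, as an added example that is not from the book. It assumes a folder D:\Finance and a group CONTOSO\Accounting, both hypothetical, and that it runs elevated on the computer that hosts the folder. The auditpol.exe call is the Vista/Server 2008-and-later way to enable the policy; on Server 2003 you enable Audit Object Access in Local Security Policy or Group Policy as the text describes, and the SACL steps are the same.

```powershell
# Added example (not from the book): audit writes and deletes to D:\Finance
# by members of CONTOSO\Accounting, inherited by every subfolder and file.
# Assumptions: elevated session on the file server; paths and group are hypothetical.

$Path      = 'D:\Finance'
$Principal = 'CONTOSO\Accounting'   # hypothetical group to audit

# 1. Audit policy. Without this, SACL entries on the folder generate no events.
#    (Windows Vista / Server 2008 and later; on Server 2003 set "Audit object access"
#    in Local Security Policy or Group Policy instead.)
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# 2. Build the audit entry (an ACE for the SACL): who, which rights, how it
#    propagates, and whether to record successes, failures, or both.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $Principal, $rights, $inherit, $propagate, $flags)

# 3. Read the current SACL (needs the Manage auditing and security log privilege),
#    add the entry, and write it back. Reading with -Audit is what makes Set-Acl
#    touch the SACL rather than only the DACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Verify what is now on the SACL, including inherited entries on a child.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited |
    Format-Table -AutoSize

# 5. Review the resulting events. Object access is event ID 4663 on
#    Vista/Server 2008 and later (560/567 on Server 2003). Filtering on the
#    path keeps the review focused on this folder rather than the whole log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Properties[6].Value -like "$Path*" } |
    Select-Object TimeCreated,
                  @{ n = 'Account'; e = { $_.Properties[1].Value } },
                  @{ n = 'Object';  e = { $_.Properties[6].Value } },
                  @{ n = 'Access';  e = { $_.Properties[8].Value.Trim() } } |
    Format-Table -AutoSize
```

Restricting the entry to Write, Delete, ChangePermissions and TakeOwnership rather than Full Control is the selectivity the text argues for: reads of a busy share would flood the log, while these four rights cover the changes you would actually want to attribute to a person.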
